Supplier/Vendor Code of Conduct

This Code applies to all suppliers, vendors, contractors, consultants, agencies, affiliates, resellers, and other third parties (collectively, "Vendors") that provide goods or services to, for, or on behalf of ClinicBooking (Spyface Tech Company, LLC), including data processors and technology partners. It is separate from our professional marketplace rules for clinics and clinicians; those participants must also comply with our Professional Participation and related policies.

• Anti-bribery & corruption: No bribes, kickbacks, facilitation payments, or improper benefits. Comply with FCPA, UK Bribery Act, and all local anti-corruption laws. Maintain accurate books/records reflecting all transactions.
• Anti-kickback / fee-splitting: No unlawful referral fees, fee-splitting, rebates, or inducements in connection with health services or listings. Marketing fees must be arm's-length and in writing.
• Fair competition & antitrust: No price-fixing, bid-rigging, market/customer allocation, or exchange of competitively sensitive information.
• Conflicts of interest: Disclose any actual or potential conflicts involving ClinicBooking personnel or decision-making processes. Gifts/hospitality: modest and infrequent; never cash; $100 USD per individual per year cap without written pre-approval.
• Accurate representations: No false, misleading, or unsubstantiated claims (including clinical, efficacy, or safety claims).
• Books & records: Keep complete, accurate records sufficient to demonstrate compliance with this Code and applicable law.

• No forced, trafficked, or child labor. Respect the prohibition on modern slavery and human trafficking. Comply with all wage, hour, and working-conditions laws.
• Non-discrimination & inclusion: No discrimination based on protected characteristics. Provide a workplace free from harassment and unlawful retaliation.
• Freedom of association: Respect lawful employee rights to organize and bargain collectively.

• Provide a safe, healthy workplace; comply with OSHA or local equivalents.
• Environmental compliance, including lawful handling/disposal of e-waste and hazardous substances; observe applicable standards (e.g., RoHS/REACH where relevant).
• Data center suppliers: disclose region/availability zones and high-level energy efficiency posture upon request.

Vendors must comply with applicable privacy laws (e.g., U.S. state privacy laws, GDPR, UK GDPR) and ClinicBooking's data processing requirements. If Vendor processes personal data (including consumer health data) for ClinicBooking, Vendor must execute a Data Processing Addendum (DPA) and, where required, appropriate cross-border transfer mechanisms (e.g., SCCs/UK IDTA). PHI/HIPAA: If services involve PHI for ClinicBooking as a HIPAA Business Associate, a HIPAA BAA is required; otherwise Vendor must not solicit, store, or process PHI.

Minimum Security Controls (baseline)

• Protect ClinicBooking Confidential Information; use only for the contracted purpose; no unauthorized disclosure.
• Respect intellectual property and open-source license obligations; no unauthorized use of ClinicBooking marks.
• Return or securely destroy ClinicBooking data at end of engagement per contract.

• No spam or unlawful telemarketing (comply with TCPA, CAN-SPAM, CASL as applicable).
• No deceptive advertising, dark patterns, or unsubstantiated medical claims. Follow platform brand/badge usage rules.
• Affiliate/partner campaigns must use approved creatives, respect geo/state rules for healthcare marketing, and honor user opt-outs.

Vendor must comply with OFAC, U.S. Export Administration Regulations (EAR), and applicable EU/UK sanctions/export laws. Vendor represents it is not owned/controlled by, or acting for, a sanctioned party and will not route ClinicBooking goods/services to embargoed regions.

No subcontracting of ClinicBooking work or data processing without our prior written consent. Flow down this Code and all applicable contractual/privacy/security obligations to approved sub-suppliers and verify their compliance.

Note: ClinicBooking may raise or waive limits based on risk and service scope.

• Upon reasonable notice, cooperate with compliance reviews (questionnaires, documentation, remote or on-site visits).
• Provide timely responses to remediation findings and track closure.

Report suspected violations of this Code, law, or contract promptly to: hello@spyface.com. Retaliation against good-faith reporters is prohibited.

• Corrective action plans, suspension of work, de-listing from our vendor roster, or termination for cause.
• Indemnification for losses arising from Vendor breach; other remedies available at law or equity.

ClinicBooking encourages diverse suppliers (e.g., small, minority-, women-, veteran-, disability-owned) and sustainable practices (reduced waste, responsible sourcing). Vendors may be asked to report high-level ESG metrics relevant to the engagement.

This Code complements, and does not replace, binding contract terms and applicable ClinicBooking policies, including (as applicable): Terms of Service, Privacy Policy, Professional Participation, DMCA/IP Policy, Data Processing Addendum, and HIPAA BAA (if required).